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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .1 7(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
10/26/2009 has been entered. 

Notice to Applicant 

This communication is in response to the amendment filed on 10/26/2009. 
Claims 1-5, 7-33 and 35-38 are pending in the application. Claims 1 , 1 1 , 22 and 29 
have been amended. 

Response to Arguments 

Applicant's arguments filed 10/26/2009 have been fully considered but they are 
not persuasive. 

The examiner notes the arguments directed to Davis in view of Ravi, Remer, and 
Cromer failing to teach or suggest "...the one of the clients detecting a message 
requesting a secure network connection for the encrypted traffic flow, in response to 
detecting the message, the embedded agent of the one of the clients verifying, prior to 
any allowing of the requested secure network connection, that a platform of the one of 
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the clients is not in a compromised state at a time before providing access to the 
encrypted traffic flow,..." are not persuasive. 

The examiner disagrees and notes that the combination of Davis in view of Ravi, 
Remer, and Cromer does indeed disclose the claimed limitation. 

The examiner notes that Remer was taught to disclose "the one of the clients 
detecting a message requesting a secure network connection for the encrypted traffic 
flow". The examiner notes Remer discloses sending a message to a source entity in 
which the sender wishes to establish a secure connection (see at least, col. 10, lines 4- 
7). The examiner notes the interpretation that the source entity would have to "detect" 
(e.g. be able to receive) the message sent by the sender in order to find out that a 
sender wishes to establish a secure network connection. From here further actions 
proceed after the message is detected in which HTTP requests are sent in order to 
establish the secure connection (see col. 10, lines 4-31) (e.g. this is a response to the 
detected message). From here the examiner notes the primary reference of Davis 
discloses prior to allowing of a secure connection, the embedded agent of the one of the 
clients verifying that a platform of the one of the clients is not in a compromised state at 
a time before providing access to the encrypted traffic flow and further notes this would 
further include in response to verifying (see at least, [0038] and [0042]). The examiner 
notes if a smart card is utilized it must be authenticated and verified (e.g. client platform 
is not compromised) before allowing communication (see at least, [0038]) and the 
security processing system also serves as a trusted hard ware device that can 
authenticate and communicate verification of the status of the input device (e.g. host 
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platform) to the host processor) (see at least, [0042]). The examiner notes that it would 
have been obvious to one of ordinary skill in the art to modify the teachings of Davis's 
verifying that a platform of one of the client's in not in a compromised state to require a 
message that requests secure communication and then provide process of further 
actions as deemed fit as taught by Remer. The examiner notes it is the combination of 
the references together that disclose the claimed invention. The examiner notes that 
one of ordinary skill in the art can modify the teachings of the reference(s) in order to 
achieve a predictable result. Further the examiner notes motivation was provided for 
such a proposed combination, therefore the examiner finds the arguments not 
persuasive. 



Application/Control Number: 10/809,315 
Art Unit: 2439 



Page 5 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-4, 11, 13-16, 18-20, 22, 24-27, 29, and 30-32 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Davis et al. (US 2005/0076228 A1) in view of 
Ravi et al. (US 2005/0204155 A1) and Remeret al. (US 7,076,653 B1) and Cromer et 
al. (US 2005/0166213 A1). 

Claims 1. 11, 22, and 29 

Davis discloses provisioning a symmetric key across multiple clients through multiple 
embedded agents (see at least, abstract, [0025]: the examiner notes that a client can 
consist of a PDA, cellular phone, network-enabled device that is connected to a network 
and [0029]: the examiner notes a security processor is separate from the host processor 
and is noted to be the embedded agent and [0074]: the examiner notes the security 
processor's control processor (e.g. part of the embedded agent) contains symmetric-key 
encryption), each client having a corresponding one of the embedded agents, each 
embedded agent to store the symmetric cryptographic key in a storage accessible to the 
embedded agent ([0029]: the examiner notes a security processor is separate from the 
host processor and acts as the embedded agent and [0074]: the examiner notes the 
security processor's control processor (e.g. part of the embedded agent) contains 
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symmetric key encryption/decryption) and providing access to encrypted traffic flow in a 
network to one of the clients if the one of the clients is authenticated with the key (see at 
least, [0026]: the examiner notes the secure I/O system performs all network processing 
and [0048]: the examiner notes the security processor can perform IKE (e.g. internet 
key exchange is noted as a form of mutual authentication using pre-shared keys (e.g. 
symmetric, shared, or secret key) between multiple parties). Further Davis discloses 
that a secure memory not visible to applications and an OS running on the host platform 
and transparent network link (see at least, [0025]: the examiner notes security 
processing is segregated from other processing (e.g. protected) and [0026]: the 
examiner notes the security processing performs all network processing). Further Davis 
discloses a digital signal processor coupled with the host platform for use in a VPN (see 
at least, [0025]: the examiner notes a secure I/O allows for a VPN connection and 
[0030]: the examiner notes an interface may consist of a PHY layer processing (e.g. 
DSP)). 

Davis further discloses prior to allowing of a secure connection, the embedded 
agent of the one of the clients verifying that a platform of the one of the clients is not in a 
compromised state at a time before providing access to the encrypted traffic flow and 
further notes this would further include in response to verifying (see at least, [0038]: the 
examiner notes if (e.g.) a smart card is utilized it must be authenticated and verified 
(e.g. client platform is not compromised) before allowing communication and [0042]: the 
examiner notes the security processing system also serves as a trusted hard ware 
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device that can authenticate and communicate verification of the status of the input 
device (e.g. host platform) to the host processor). 

Davis fails to disclose that the storage accessible to the embedded agent is not 
directly accessible to a host processor on the client and further the providing including: 
the one of the clients detecting a message requesting having the embedded agent a 
secure connection for the encrypted traffic flow and in response performing a given 
action and in response to verifying, the embedded agent of the one of the clients 
providing the key and an assertion that the one of the clients is not compromised to a 
verification entity on the network. 

However Ravi discloses that the storage accessible to the embedded agent is 
not directly accessible to a host processor on the client having the embedded agent 
(see at least, abstract: the examiner notes a security processor (e.g. embedded agent) 
containing a first memory (e.g. storage) that is not accessible to the host processor). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Davis's security processor to include a 
storage that is not directly accessible to a host processor on the client having an 
embedded agent as taught by Ravi. One of ordinary skill in the art at the time the 
invention was made would have been motivated to combine the teachings in order to 
ensure that the security processor can handle transactions involving accessing 
protected memory areas (see at least, Ravi, [0050]). 

Davis in view of Ravi fails to disclose further the providing including: the one of 
the clients detecting a message requesting a secure connection for the encrypted traffic 
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flow and in response performing a given action and in response to verifying, the 
embedded agent of the one of the clients providing the key and an assertion that the 
one of the clients is not compromised to a verification entity on the network. 

However Remer discloses one of the clients detecting a message requesting a 
secure connection for the encrypted traffic flow and in response performing a given 
action (see at least, col. 9, lines 55 - col. 10, line 31 : the establishment of a secure 
connection via the use of a message and further messages would entail performing a 
further action (e.g. http requests)) 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Davis and Ravi to include the ability for 
one of the clients detecting a message requesting a secure connection for the 
encrypted traffic flow as taught by Remer. One of ordinary skill in the art at the time the 
invention was made would have been motivated to combine the teachings in order to 
ensure the ability to support multiple encryption and/or authentication schemes that may 
be utilized in a connection between two entities (see at least, Remer, col. 2, lines 39- 
43)). 

Davis in view of Ravi and Remer fail to disclose in response to the message 
requesting the secure connection and the verifying, the embedded agent of the one of 
the clients providing the key and an assertion that the one of the clients is not 
compromised to a verification entity on the network. 

Cromer discloses an agent providing the key and an assertion that the client is 
not compromised to a verification entity on the network (see at least, [0048] and [0056]: 
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the examiner notes ensuring the security of the computer system (e.g. verification 
entity) is not compromised by an unauthorized action by the remote client (e.g. client) 
and the use of public/private key algorithm to verify the remote client). Further Cromer 
discloses indicating being compromised and foreclosing network access if being 
compromised (see at least, [0048] and [0056]: the examine querying the integrity is a 
form of requesting (e.g. indicating) of being compromised and culminating without 
further processing is interpreted to be foreclosing). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings Davis in view of Ravi to include the 
embedded agent providing the key and an assertion that the client is not compromised 
to a verification entity on the network as taught by Cromer. One of ordinary skill in the 
art at the time the invention was made would have been motivated to combine the 
teachings in order to manage a remote client on a computer system in a secure manner 
by verifying if the OS is not loaded or functioning (see at least, Cromer, [0008]). 

Claim 2 and 30 

Davis discloses wherein provisioning the key through the embedded agents further 
comprises provisioning the key through an embedded agent having network access via 
a network link not visible to a host operating system (OS) running on the client (see at 
least, [0025]: the examiner notes security processing is segregated from other 
processing (e.g. protected) and further this is interpreted to include OS processing and 
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[0026]: the examiner notes the security processing performs all network processing and 
would also be segregated from the other processing (e.g. OS processing of the client). 

Claim 3 and 31 

Davis discloses providing access to the traffic flow if the client is authenticated 
comprises the embedded agent authenticating the client over the network line not 
visible to the host OS (see at least, [0025]: the examiner notes security processing is 
segregated from other processing (e.g. protected) and further this is interpreted to 
include OS processing and [0026]: the examiner notes the security processing performs 
all network processing (e.g. [0048]: the examiner notes IKE is a form of authenticating 
over a network) and would also be segregated from the other processing (e.g. OS 
processing of the client). 

Claim 4 and 32 

Davis discloses wherein providing access to the traffic flow further comprises providing 
multiple clients access with the key to nodes in the network, the nodes in the network to 
decrypt the traffic flow and subsequently encrypt the traffic flow to transmit the traffic to 
a next node in the network (see at least, [0070]: the examiner notes symmetric key 
encryption and decryption processing within the security processing system for use in 
IKE). 
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Claim 13 

Davis discloses wherein the embedded device to have a transparent network link 
comprises the embedded device to have a network connection not accessible by the 
host platform, the link to comply with the secure sockets layer (SSL) protocol (see at 
least, [0025]: the examiner notes security processing is segregated from other 
processing (e.g. protected) and further this is interpreted to include OS processing and 
[0026]: the examiner notes the security processing performs all network processing 
(e.g. [0048]: the examiner notes IKE is a form of authenticating over a network) and 
would also be segregated from the other processing (e.g. OS processing of the client 
and [0076]: the examiner notes the use of SSL protocols). 

Claim 14 

Davis discloses wherein the embedded device to authenticate the apparatus comprises 
the embedded device to verify the identity of the apparatus to a network switching 
device with the key, the key to also be used by the network endpoints to verify their 
respective identities to the network switching device, and the network switching device 
to decrypt encrypted traffic from the apparatus and the network endpoints (see at least, 
[0074]: the examiner note IKE and the use of symmetric key encryption and decryption 
as a forum of authentication of identities between devices). 
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Claim 15 and 26 

Davis discloses wherein the embedded device to authenticate the apparatus comprises 
the embedded device to hash traffic to be transmitted with the key (see at least, [0069]: 
the examiner notes a cryptographic core for high-sped encryption and hash processing 
for packet data). 

Claim 16 and 27 

Davis discloses wherein the embedded device to authenticate the apparatus comprises 
the embedded device to perform cryptographic services with the key on traffic to be 
transmitted (see at least, [0074]: the examiner notes IKE and the use of symmetric key 
encryption and decryption for traffic to be transmitted). 

Claim 18 

Davis discloses further comprising a second embedded computation device, the second 
computation device integrated on the host platform, to verify the security of the host 
platform (see at least, [0080]: the examiner notes an anti-tamper system is embedded 
device that contains circuits to check health and integrity of the content in the system). 

Claim 19 

Davis discloses wherein the first embedded device to not authenticate the apparatus if 
the second embedded device determines the host platform is not secure (see at least, 
[0076]: the examiner notes verifying application integrity and [0080]: the examiner notes 
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an anti-tamper system within the security processor checks the integrity of the flash 
content (e.g. application integrity) and in which it can serve as a trusted device to 
authenticate another hardware security token connected on (e.g. [0042])) 

Claim 20 and 25 

Davis discloses further comprising a bi-direction private bus between the first and 
second embedded device (see at least, [0080]: the examiner notes a the security 
processor is the first embedded device and contains the anti-tamper system which is 
the second embedded device and its communication would be private from the host 
processor (e.g. [0025]: the examiner notes segregated (e.g. private)) and further I/O is 
a bi-directional bus (eg. [0031]) 

Claim 24 

Davis discloses wherein the embedded chipset comprises an embedded controller 
agent and an embedded firmware agent, the firmware agent to determine the integrity of 
the host platform (see at least, [0080]: the examiner notes an anti-tamper system is 
embedded device that contains circuits to check health and integrity of the content in 
the system)., and the controller agent to operate the private communication channel and 
manage access by the host platform to secure network connections (see at least, 
[0025]: the examiner notes security processing is segregated from other processing 
(e.g. protected) and further this is interpreted to include OS processing and [0026]: the 
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examiner notes the security processing performs all network processing and would also 
be segregated from the other processing (e.g. OS processing of the client). 

Claims 5 and 33 are rejected under 35 U.S.C. 103(a) as being unpatentable over Davis 
et al. (US 2005/0076228 A1) in view of Ravietal. (US 2005/0204155 A1) and Remer et 
al. (US 7,076,653 B1 ) and Cromer et al. (US 2005/01 6621 3 A1 ) as applied to claim 1 
and 29 above, and further in view of Yokota et al. (US 2002/01 64035 A1 ). 

Claims 5 and 33 

Davis in view of Ravi and Remer and Cromer all fail to disclose updating at a client the 
symmetric cryptographic key provisioned across the multiple clients through a public 
and private key exchange with a public and private key associated the client. 

However Yokota discloses updating at a client the symmetric cryptographic key 
provisioned across the multiple clients through a public and private key exchange with a 
public and private key associated the client (see at least, abstract) 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings Davis in view of Ravi to include updating at 
a client the symmetric cryptographic key provisioned across the multiple clients through 
a public and private key exchange with a public and private key associated the client as 
taught by Yokota. One of ordinary skill in the art at the time the invention was made 
would have been motivated to combine the teachings in order to enable key 
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management center to take the initiative by updated keys or a plurality keys at once 
thereby conforming to a public key cryptosystem (see at least, Yokota, [0014]). 

Claims 9 and 37 are rejected under 35 U.S.C. 103(a) as being unpatentable over Davis 
et al. (US 2005/0076228 A1) in view of Ravietal. (US 2005/0204155 A1) and Remer et 
al. (US 7,076,653 B1 ) and Cromer et al. (US 2005/01 6621 3 A1 ) as applied to claim 1 
and 29 above, and further in view of Walker et al. (US 2002/0163920 A1). 

Claims 9 and 37 

Davis in view of Ravi and Remer and Cromer disclose the embedded agent (see claim 
1 ) however all fail to disclose further comprising performing cryptographic functions on 
data with the key to authenticate data with the key. 

However Walker discloses performing cryptographic functions on data with the 
key to authenticate data with the key (see at least, [0012]: the examiner notes a shared 
key is used to authenticate packets (e.g. data) that are transported)). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings Davis in view of Ravi to include performing 
cryptographic functions on data with the key to authenticate data with the key as taught 
by Walker. One of ordinary skill in the art at the time the invention was made would 
have been motivated to combine the teachings in order to establish confidence that a 
packet came from the party established by a security association (see at least, Walker, 
[0012-0013]). 
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Claims 10, 17, 28, and 38 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Davis et al. (US 2005/0076228 A1 ) in view of Ravi et al. (US 2005/02041 55 A1 ) 
and Remer etal. (US 7,076,653 B1)and Cromer etal. (US 2005/0166213 A1) as 
applied to claims, 1 , 1 1 , 22, and 29, and further in view of Ylonen (US 6,782,474 B1 ) 

Davis in view of Ravi and Remer and Cromer disclose the embedded agent (see claim 
1 ) however all fail to disclose further comprising including a derivate of the key in the 
header of the data to be transmitted to authenticate data with the key. 

However Ylonen discloses further comprising including a derivate of the key in 
the header of the data to be transmitted to authenticate data with the key (see at least, 
col. 1 , lines 56-col. 2, lines 2: the examiner notes a AH is header that contains a 
computed MAC which is a derivative of the sharked key). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings Davis in view of Ravi and Remer and 
Cromer to include including a derivate of the key in the header of the data to be 
transmitted to authenticate data with the key as taught by Ylonen. One of ordinary skill 
in the art at the time the invention was made would have been motivated to combine the 
teachings in order to establish implement authentication and security when information 
travels through the network (see at least, Ylonen, col. 1 , lines 34-35 and col. 1 , lines 
56-co;. 2, lines 2). 
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Claims 12 and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Davis et al. (US 2005/0076228 A1) in view of Ravi et al. (US 2005/0204155 A1 ) and 
Remer et al. (US 7,076,653 B1) and Cromer et al. (US 2005/0166213 A1) as applied to 
claim 1 1 and 22 above, and further in view of Grohoski et al. (US 2004/0225885 A1 ). 

Claims 12 and 23 

Davis in view of Ravi and Remer and Cromer discloses wherein the embedded device 
to have a transparent network link comprises the embedded device to have a network 
connection not accessible by the host platform, the link to comply with the secure 
protocol (see at least, Davis, [0025], [0026], [0048], and [0076]), however all fail to 
disclose wherein the secure protocol is a TLS protocol. 

However Grohoski discloses wherein the secure protocol is a TLS protocol (see 
at least, [0167]) 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Davis in view of Ravi and Remer and 
Cromer to include the use of TLS protocol because as taught by Grohoski. One of 
ordinary skill in the art at the time the invention was made would have been motivated 
to combine the teachings in order to provide a processor that can support higher speed 
encryption and decryption as required by SSL/TLS (see at least, Grohoski, [0056]). 
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Claim 21 is rejected under 35 U.S.C. 103(a) as being unpatentable over Davis et al. (US 
2005/0076228 A1) in view of Ravi et al. (US 2005/0204155 A1) and Remer et al. (US 
7,076,653 B1) and Cromer et al. (US 2005/0166213 A1) as applied to claim 29 above, 
and further in view of Kramer et al. (US 2005/0201554 A1). 

Davis in view of Ravi and Remer and Cromer all fail to disclose further comprising a 
counter mode hardware cryptographic module on the host platform to encipher traffic 
with the cryptographic key and further provide a counter mode enciphered of the 
enciphered traffic. 

However Kramer discloses further comprising a counter mode hardware 
cryptographic module on the host platform to encipher traffic with the cryptographic key 
and further provide a counter mode enciphered of the enciphered traffic (see at least, 
[0058] and [0070]). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Davis in view of Ravi and Remer and 
Cromer to include further comprising a counter mode hardware cryptographic module 
on the host platform to encipher traffic with the cryptographic key and further provide a 
counter mode enciphered of the enciphered traffic as taught by Kramer. One of 
ordinary skill in the art at the time the invention was made would have been motivated 
to combine the teachings in order to provide encrypting and decrypting data in a 
network while minimizing interference with future extensions of existing protocols (see 
at least, Kramer, [0009]). 
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Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KARI L. SCHMIDT whose telephone number is (571) 
270-1385. The examiner can normally be reached on Monday - Friday: 8:30am - 
5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Edan Orgad can be reached on 571-272-7884. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Kari L Schmidt/ 
Examiner, Art Unit 2439 



/Edan Orgad/ 
Supervisory Patent Examiner, Art Unit 2439 



